[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: Yet Another Beginner Question

To: "Mark Lehrer" <mark@knm.org>, <openldap-software@OpenLDAP.org>
Subject: RE: Yet Another Beginner Question
From: "Howard Chu" <hyc@highlandsun.com>
Date: Fri, 29 Mar 2002 01:36:09 -0800
Importance: Normal
In-reply-to: <200203282347.g2SNl2b22494@home.knm.org>

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Mark Lehrer

> Also, what is the best way to deal with keeping both the ldap database
> and /etc/passwd, /etc/shadow, and /etc/group, /etc/aliases in sync?  I
> would prefer to keep using the standard adduser tools, and vi to
> handle the aliases; would it make sense to have an periodic cron job
> blow away the LDAP info and re-load it, or is it better to re-generate
> these files from the LDAP database?

The best thing to do is to avoid the synchronization step in the first
place.
PAM/NSS solutions have already been discussed in someone else's reply. To
keep your existing standard adduser tools working, I suggest using an LDAP
backend that parses /etc/passwd et. al directly. Symas Corp. has a UnixAuth
agent that does exactly this, presenting an LDAP read/write interface to
the /etc/passwd, /etc/shadow, and /etc/group files. Ours is fairly
efficient,
written in C, but you could achieve most of the functionality using
back-shell or back-perl and some parsing scripts. We also handle
/etc/aliases and several
other sendmail config files directly. PAM has got a lot of momentum behind
it, but we believe there's value and security in non-invasive solutions that
keep your existing infrastructure intact, while still making it more
manageable.
Reliability is a big reason to take our approach; you'll always be able to
login even if your LDAP service or network connection dies. Compatibility
and performance are two more reasons; NSS searches thru LDAP can be slow and
the NS Cache Daemon is not known for its reliability, and there are still
programs out there that like to use fgetXXent() to walk thru the tables.

Note that rolling your own solution here probably isn't something you should
do as an LDAP beginner, unless you're already proficient with shell or perl
programming, and you're comfortable setting up slapd ACLs to protect the
information you're exposing. Making a mistake on the ACLs could be
disastrous.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

Follow-Ups:
- RE: Yet Another Beginner Question
  - From: Jan-Piet Mens <jpm@Retail-SC.com>

References:
- Yet Another Beginner Question
  - From: Mark Lehrer <mark@knm.org>

Prev by Date: Re: Yet Another Beginner Question
Next by Date: RE: Yet Another Beginner Question
Index(es):
- Chronological
- Thread